CCI-003281

Require the developer of the system, system component, or system service to use threat modeling from similar systems, components, or services to inform the current development process.

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process. - the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; supply chain risk management plan; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; threat modeling and vulnerability analyses from similar systems, system components, or system services; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with supply chain risk management responsibilities].

The controls below (if any) were marked by NIST as being related to CCI-003281.